fix(deps): upgrade mkdocs-material from 8.2.6 to 9.x

[agilgur5]

Partial fix for #12031, "Vulnerabilities"

Motivation

• 8.2.6 is 2 years old now
  • and there hasn't been an 8.x release since 9.0.0 was released 1.5 years ago
  • in particular, there are some CVEs in transitive deps of mkdocs-material now (such as urllib3 CVEs: GHSA-g4mx-q9vg-27p4, GHSA-hmv2-79q8-fv6g, GHSA-v845-jxx5-vc9f, etc)

Modifications

• make the upgrade to 9.x in docs/requirements.txt

  • none of the removals in 9.0.0 affect our usage
  • main noticeable changes I can see are some CSS improvements

• also remove fixed dep pins in docs/requirements.txt and use a range

  • ideally we should use poetry or similar and create a lockfile, but that's a separate topic with many more changes required -- this PR is focused on the upgrade

Verification

1. make docs

2. open site/index.html

3. Took a look around, all seemed well to me. Mermaid plugin works, Field Reference with md_in_html works, admonitions work

   • Screenshot of how admonitions look like now (compare to docs: describe containerset retrystrategy and verify it works. Fixes: #11502 #12809 (comment)):
     

Notes to Reviewers

• Dependabot didn't update this, I think that might have been because of either (or all of):
  • the fixed dep with no range
  • that there were no patches within the mkdocs-material 8.x range
  • no lockfile to independently update urllib3 etc without touching mkdocs-material

Future Work

Add poetry or Pipfile config and a lockfile

[agilgur5]

Add poetry or Pipfile config and a lockfile

Noting that both are supported by dependabot, as well as pip-compile

I was considering Pipfile just because it's default installed in many Python distributions, but Pipfile isn't officially supported by ReadTheDocs: readthedocs/readthedocs.org#3181 (comment).
Actually, Pipfile seems to be dead? https://github.com/pypa/pipfile had a last commit two years ago. That would explain the dependabot docs saying it only supports versions "<= 2021-05-29".
Not sure if Hatch is the new spec-compliant replacement https://github.com/pypa/hatch (both under pypa GH org)?

I prefer poetry myself (and contributed to it years ago when it was still alpha), and it has officially documented instructions for ReadTheDocs, so I guess that makes that decision easy moving forward

[agilgur5]

Oh I apparently haven't done a deep-dive on Python builds in a bit. With PEP 517 build backends were fully split (see also poetry-core), so now can install a poetry pyproject.toml even with pip (although it won't use the poetry.lock). This may be good enough for our use-cases -- or at least a first pass, so as to not have to change the build system too much (e.g. Makefile etc).

Need to do some more testing but working on that for a future PR.

[agilgur5]

Backported cleanly to release-3.5 as a20f695

[agilgur5]

Partial fix for #12031, "Vulnerabilities"

• in particular, there are some CVEs in transitive deps of mkdocs-material now (such as urllib3 CVEs: GHSA-g4mx-q9vg-27p4, GHSA-hmv2-79q8-fv6g, GHSA-v845-jxx5-vc9f, etc)

OpenSSF Scorecard is still detecting these Python CVEs, so I think it's actually finding them in the Python SDK, which does use urllib3 v1 directly. Since it's generated though, we can't just upgrade it... that actually requires a new version of openapi-generator-cli, which requires a breaking change to the SDK 😕 . See also #12866 which attempts to do that